Unit 42, Palo Alto Networks' threat intelligence arm, has published a detailed analysis of an ongoing attack campaign targeting Russia and South Korea. Using the Bisonal malware, which has stayed under the radar for at least seven years, with this particular variant in the wild for four, the attackers have hit at least one defence company in Russia and an as yet unidentified organisation in South Korea.
That Unit 42 has collected only 14 samples of the Bisonal variant used in the current campaign suggests it is being deployed sparingly, which in turn suggests a nation-state player may well be behind it. Indeed, the variant rewrites large tracts of the original Bisonal code dealing with network communication and persistence, the better to maintain a foothold on a compromised host. Again, this is indicative of the kind of Advanced Persistent Threat (APT) campaign favoured by nation-state actors.
The Russian target was a defence company supplying communication security products and services, specialising in encryption and cryptographic services. While the South Korean organisation targeted has yet to be identified, it received a malware dropper disguised as a PDF document, in the same way as the Russian victim. The South Korean document title translates to '2018 Korean Coast Guard Government Employee (Grade 7, Grade 9', while the Russian document translates to 'A comprehensive project to create housing and construction cooperatives for defence workers.' Yet the South Korean dropper code itself was entirely different, suggesting that the threat actor is willing to invest the effort in highly customised attacks. Again, this is indicative of nation-state actors.
In the blog entry detailing the attack campaign, Unit 42 states that "we are still investigating the connection between the latest attacks... and the previous Bisonal attacks reported by industry colleagues. The targets are military or defense industry in particular countries. We currently believe one group is behind these attacks."
In conversation with SC Media UK, Alex Hinchliffe, Threat Intelligence Analyst at Unit 42, said that Bisonal being under the radar for so long isn't at all unusual. "Targeted attacks are regularly designed specifically to evade detection. That means that well-crafted variants can be in use without detection for some time," Hinchliffe says, adding, "By limiting their targets, they are able to tightly control where, and how many, of their tools are deployed against any given target. This naturally makes it harder for researchers to discover the malware and even more so for widespread detections to be put in place."
SC Media UK reached out to the security industry to ask what danger such campaigns pose to enterprises in the West that have no connection to these countries or their governments. Dr Johannes Ullrich, Dean of Research at the SANS Technology Institute, points out that while "Bisonal may be limited in its distribution, other attacks use essentially identical techniques, and malware and command and control infrastructure is also reused in some cases."
Then there's the risk of supply chain infiltration by the attackers. "Some threats could be used to compromise a victim's systems and move laterally or spread to other third parties by using various mechanisms," says Liviu Arsene, Senior e-Threat Analyst at Bitdefender, "such as credential theft or compromised emails." Ross Rustici, Senior Director of Intelligence Services at Cybereason, told SC Media UK that "these specific campaigns pose little direct threat to the West, however, the overall pattern of targeting should concern anyone who is in similar spaces in the West. If this actor is after military capabilities and weapon system secrets, it is only a matter of time before they try the same thing against the defense industries in the UK, EU, and USA."
Some argue that the real risk to business is that the malware exists at all. "We've already seen this with Stuxnet where digital certificates were stolen for a specific purpose," Kevin Bocek, Chief Cybersecurity Strategist at Venafi, points out. "Fast forward several years and there are now over 22 million pieces of malware using compromised or fraudulent digital certificates and major attacks on the financial system and critical infrastructure have all been orchestrated using the Stuxnet blueprint."
Bas Alberts, VP Security Projects at Cyxtera, wanted to talk about risk mitigation for business, which he says is best built around proper data classification, network segmentation and threat modelling. "Running adversary simulation exercises is a good way to start getting a handle on what the risk profile for your enterprise is when it comes to APT level actors," Alberts concludes. However, David Atkinson, CEO of Senseon, adds that "CISOs investing in threat intelligence alone, which is normally injected into their SIEMs to drive hunts for malware, would not have found this attack until the game was up, as the adversary used indicators which were unique to each target."
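Atkinson's point, that per-target indicators defeat feed-driven hunting, is easy to see in a small detection exercise. The following is an added example written for this article, not code from Unit 42, SC Media UK or any of the vendors quoted: it runs an indicator-based hunt and a tradecraft-based rule over a handful of constructed process-creation events. Every hash, hostname, path and parent process in it is invented for illustration and says nothing about the real Bisonal samples beyond what the article states (a dropper disguised as a PDF, with different dropper code per target).

```python
"""Indicator hunting versus behaviour-based detection on constructed telemetry.

Added example, not from the article or from Unit 42's analysis. All samples,
hashes, hosts and paths are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, as an EDR or Sysmon event would carry it."""
    host: str
    parent_image: str   # process that launched the child
    image: str          # executable that was launched
    sha256: str         # hash of that executable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed dropper contents: one build per target. The article says the
# South Korean dropper code was entirely different from the Russian one, so
# the two hashes never collide. These bytes are placeholders, not real samples.
DROPPER_TARGET_A = b"constructed dropper build for target A"
DROPPER_TARGET_B = b"constructed dropper build for target B"

# Indicator feed as a SIEM would ingest it from threat intelligence after the
# first victim's sample has been analysed. It knows only target A's build.
IOC_FEED = {sha256_hex(DROPPER_TARGET_A)}

# Constructed telemetry from two victims plus one benign event.
# Hosts, users, parent processes and paths are hypothetical.
EVENTS = [
    ProcessEvent("ru-ws-07",
                 r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
                 r"C:\Users\ivan\AppData\Local\Temp\project.pdf.exe",
                 sha256_hex(DROPPER_TARGET_A)),
    ProcessEvent("kr-ws-12",
                 r"C:\Program Files\WinRAR\WinRAR.exe",
                 r"C:\Users\minji\AppData\Local\Temp\2018_coastguard.pdf.scr",
                 sha256_hex(DROPPER_TARGET_B)),
    ProcessEvent("kr-ws-03",
                 r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
                 sha256_hex(b"constructed benign reader build")),
]


def ioc_hunt(events, feed):
    """Indicator matching: flags only executables whose hash is in the feed."""
    return [e for e in events if e.sha256 in feed]


# Behaviour rules. Neither depends on the bytes of any particular sample.
DOC_LOOKALIKE = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|hwp)\.(exe|scr|com|pif)$", re.IGNORECASE)
ATTACHMENT_LAUNCHERS = re.compile(
    r"\\(outlook|winrar|7zfm|thunderbird)\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Downloads\\|\\Temp\\", re.IGNORECASE)


def behaviour_detect(events):
    """Tradecraft matching: returns (event, [rule names]) for each event
    that trips at least one rule."""
    hits = []
    for e in events:
        rules = []
        # An executable whose name ends in a document extension followed by
        # an executable extension: the "dropper disguised as a PDF" pattern.
        if DOC_LOOKALIKE.search(e.image):
            rules.append("document_lookalike_executable")
        # A mail client or archiver starting a binary from a user-writable
        # location, regardless of what that binary is called or hashes to.
        if ATTACHMENT_LAUNCHERS.search(e.parent_image) and USER_WRITABLE.search(e.image):
            rules.append("executable_launched_from_attachment_handler")
        if rules:
            hits.append((e, rules))
    return hits


if __name__ == "__main__":
    print("IOC hunt hits:", [e.host for e in ioc_hunt(EVENTS, IOC_FEED)])
    print("Behaviour hits:", [(e.host, r) for e, r in behaviour_detect(EVENTS)])
```

The indicator hunt finds only the host that received the already-analysed build; the second victim, whose dropper was a different build with a different hash, is invisible to it until somebody submits that sample. The behaviour rules flag both victims on the first event, because they key on how the dropper arrived and what it was pretending to be rather than on which bytes it contained. In practice the two approaches are complementary: the feed confirms attribution once a sample is known, the behaviour rule is what gives you a chance before then.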